The Risk of Sideloading and Apple's Porn App

10 months ago
You may have seen the headline "Apple forced to approve Porn App on EU iPhones due to DMA" (per @9to5mac, or other variations). But why is the European Commission doing this? And what could that mean for other mobile platforms like Android in Europe? 🧡 x.com/9to5mac/status/1886521736922878222
On Monday, AltStore announced the launch of Hot Tub, "the world's 1st Apple-approved porn app". AltStore is one of the new app stores that have been able to launch on iOS because of Europe's Digital Markets Act.
When the DMA obligations started to apply in March of last year, AltStore got a lot of visibility, but for some of the wrong reasons. It was held up by the Commission as one of the successes of the DMA, but it was rife with piracy and other problems. x.com/KayJebelli/status/1775521427636039914
It seems that AltStore has moved on from piracy to porn, and is claiming its app is now "Apple Approved" because of the DMA. That would be quite a change, since Apple has long moderated porn and other types of apps that it deems inappropriate.
As reported by @MathieuPollet_ and @egreechee this morning in Politico MT, DMA enforcers aren't really worried about the lack of moderation; in their view, the DMA is a success because it allows different app stores with different app store policies. pro.politico.eu/news/behind-the-scenes-of-the-iphones-first-porn-app
The logic here is that Apple is so big that it's like an infrastructure provider, and it shouldn't be exercising editorial control over its ecosystem. It's something that I heard often when I was involved in the DMA negotiations. x.com/KayJebelli/status/1769656071289700753
In the EC's view, Apple shouldn't be setting a baseline minimum standard for apps; that's the job of law enforcement. It's something that was reiterated by the Commission in this case as well, as reported by @audevdh and @Fra_Miche in today's Politico FP. pro.politico.eu/news/europes-self-preferencing
In other words, it's for the alternative apps and app stores to make sure they comply with all the relevant laws, whether that's age verification or the legality of any of the content being hosted on those sites, regardless of the fact that they're ending up on Apple devices.
There are two problems with this thinking, of course. (1) The EC can't possibly police all apps; there are over 2 million of them. businessofapps.com/data/app-stores/
Authorities can go after big players (e.g. the Dutch authority fined Epic last year for taking advantage of children through their apps). But it helps to have platforms imposing standards as well (addressing what economists call "negative externalities"). x.com/KayJebelli/status/1790750961251836025
Just as important, (2) platforms have a right to editorialise what users experience on the platforms they've built. Steve Jobs had one of his "if you don't like it go buy an Android" comments on this very topic. That's how platforms differentiate. techcrunch.com/2010/04/19/steve-jobs-android-porn/
So this app isn't really "Apple Approved", and even though the DMA forces Apple to carry it, Apple is not being allowed to moderate on its platform (unfortunately). Apple can only check that apps on 3rd-party app stores won't brick the phone. threads.net/@rileytestut/post/DFoHGkfubnh
But that's not enough to address the negative externalities. As Apple notes, having these kinds of apps on Apple devices changes the user experience, and could undermine consumer trust and confidence and devalue Apple's protected image. techcrunch.com/2025/02/03/hot-tub-the-first-native-iphone-porn-app-arrives-in-eu/
There's a nice post on this by @eric_seufert on how misguided it is. x.com/eric_seufert/status/1887186201574318367
This problem is of course exacerbated when the app is being advertised as "Apple approved", a problem that the EC should have foreseen, but apparently isn't trying to do anything to stop (odd, given the EC is operating on the assumption that each app will "act responsibly").
But even if the EC minimises this problem, the bigger one is that users might be slow to adapt to the risks. As pointed out by @MBarczentewicz, platform operators have protected users from risks they may be unprepared to face under the DMA truthonthemarket.com/2025/02/04/the-dmas-challenge-to-user-safety-lessons-from-apples-porn-app-controversy/
The EC seems to be making bad policy choices here, promoting a narrow victory for rival app developers which will likely have little actual consumer benefit, but puts a lot of users at risk.
Note, as reported by @SarahPerezTC, AltStore is backed by Epic Games. Epic Games is also suing Apple because it isn't happy having to pay Apple for distributing Epic's apps in the App Store. techcrunch.com/2024/08/15/epic-games-megagrant-makes-eu-alternative-app-store-altstore-pal-available-for-free/
It's a bit odd that Epic would want to promote this "porn app" as the win for the DMA, and force the EC to defend the risks caused, when I think most consumers can pretty easily understand that the costs and risks are not worth the benefits.
But that's in the context of Apple's ecosystem, where alternative apps still need to go through alternative app stores and still have some notarization checks before they can be installed. The situation is far, far worse on Android.
I looked into this issue back in December and I wasn't sure how Apple was mitigating the risk from link-outs when it changed its policy, but it's clear now that this notarization (and "approval") is how. But it's not the same for Android. x.com/KayJebelli/status/1863320299837743251
When Apple first announced the changes to its link-out policy as a result of the DMA, I was wondering how this would work with security, but notarization is their solution. But that solution doesn't work for Android. x.com/KayJebelli/status/1821597428090597726
Unlike on iOS, Android doesn't notarize all app downloads. In part due to its open source nature, Android apps can be developed without Google's "approval" and can run on Android phones (sideloaded). It means a more "open" ecosystem for developers, and a bit more flexibility.
And these sideloaded apps are making their way onto Android phones. According to Google, 80% of Android devices have an app installed from outside their app store, Google Play. blog.google/outreach-initiatives/public-policy/how-android-and-google-play-drive-global-growth/
But since this attack vector is open, Google has taken steps to minimise the risk, by limiting how apps that ARE approved for the Play store can link out to these 3rd-party unchecked apps. Practically speaking, Google doesn't allow this kind of 3rd-party link-out.
Links in Android apps have to go to a website domain owned by the app developer, and that domain has to be verified. But if the EC takes the same approach to Android as it does to iOS, then these links could go to 3rd-party websites. developer.android.com/training/app-links
That's not such a problem for iOS, because as we see here, Apple notarizes all the apps. But Android doesn't. That means "approved" apps from the Play store could end up linking out to all kinds of malware and Android couldn't do anything to prevent this.
Malware is a serious issue. Just a couple of years ago an international law enforcement operation involving 11 countries was needed to take down a malware known as FluBot that was stealing passwords, online banking details, and other sensitive information. europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones
This kind of malware will spread a lot more easily if Google can't police link-outs from official "approved" Android apps. But again, this is because of the EC's disapproval of platforms "policing" their ecosystem. It's a bias against all kinds of "gatekeeping", even beneficial ones.
Hopefully the EC can take lessons from the Apple example, where the concerns raised have proven correct. The concerns with Android are even worse, because it would facilitate distribution of unnotarized software from within Play-approved apps.
Android already has sideloading, so it's even harder to see what the actual consumer benefit is here, and it will be even harder for the EC to defend than the "Apple approved" porn app. And given the risk from unnotarized apps is far greater, I hope the EC doesn't want to try.
Kay Jebelli 🇺🇦

@KayJebelli

Computer engineer/competition lawyer; TCK, European by choice; personal views expressed. Pro-abundance policy, with clients in the technology industry.